Employee Security Awareness Programs: the Real ROI

December 11, 2015 by Ian Palmer

DigiCert, the SSL certificate provider, verifies the authenticity of secure websites so as to prevent online phishing scams. So it should come as no surprise that the company’s external focus is matched by internal efforts to ensure that workers have the cybersecurity skills they need.

Dan Timpson, chief technology officer at the company, says that DigiCert does a number of things to raise cybersecurity awareness in the workplace.

“There’s a couple of ways that we do that,” he explains. “There are phishing attacks that happen almost on a daily basis, and only a fraction of the members of the company here at DigiCert understand phishing. So we’ve implemented a program whereby people can report suspicious email to our security team, and we see that that gets used daily, actually.”

Timpson acknowledges that he’s not exactly sure what the return on investment is for the extensive security awareness training that DigiCert provides for employees. Even so, he insists that it is more than worth it, especially when weighing the costs – financial, reputational and otherwise – associated with breaches stemming from cyberattacks. Meanwhile, providers of cybersecurity training, such as Wombat Security Technologies, insist that companies really can work out an ROI to justify investing in training their employees.

The Real ROI

While it can be argued that the very threat of cybersecurity attacks justifies investing in security awareness programs whether or not an ROI can be worked out, a study by Ponemon Institute and Wombat shows that businesses can indeed come up with a dollar figure.

In The Cost of Phishing and Value of Employee Training, Ponemon looks at how Wombat’s training could impact the yearly cost of phishing to organizations – which the study places at $3.77 million for organizations with about 10,000 employees. The results show that companies can be on the receiving end of a 50x ROI on training and $1.8 million in annual savings.

Security Awareness Training

Timpson says that he hasn’t necessarily read a study that focuses on ROI for security awareness programs. Nonetheless, he adds that headlines highlighting recent examples of large reputable businesses suffering breaches present enough reason to make a move.

“To me, that’s a good enough justification to say, ‘Ok, team, let’s work together to put something in place that really does work,’” he explains, adding that another component of a successful cyber awareness program is the involvement of leaders at the company. Specifically, Timpson is one of the C-level executives at DigiCert who is personally involved.

“We’re very passionate about making sure that people inside the company understand the threats and the climate out there today,” he says. “So we periodically meet several times throughout the year to debrief employees…on what’s coming up.”

Viraf Hathiram, security officer at Sogeti USA, agrees that an effective program needs support from the top.

“To ensure effectiveness, the message needs to come from the very top of an organization – frequently and with impact,” says Hathiram. “To increase the impact, cover only threats posing the greatest risk so that users are not overwhelmed with information. And don’t forget to show relevance to personal life.”

The possible fallout if a lack of training leaves companies susceptible to breaches ranges from the negligible to the serious – such as possible bankruptcy, adds Hathiram. He goes as far as to note that failing to implement a security awareness training program shows a lack of care – and, in the event that there’s a breach, this lack of care could open up the door to possible lawsuits.

Training Makes Sense

While it might be tempting to believe that any training is better than no training, companies should strive for the best possible outcome by selecting the right training from the start.

Amy Baker, vice president of marketing at Wombat, says businesses that feel the need to find a security education provider should not underestimate the importance of learning methodologies.

“The beginning should be ensuring that the security education provider is actually following what we would consider to be good learning methodologies,” she explains.

If finding an education provider with a sound learning methodology is the most critical step, the second is selecting a provider that lets clients measure the effectiveness of the training.

“Unfortunately, I believe that too few buyers are looking for something that’s measurable,” explains Baker. “I think that they believe that security education is something that they have to do that may or may not have an impact. And we really believe that it does have an impact. Our customer results and third-party independent research have proven that it can have an impact if it’s done well.”

Susan Mackowiak, marketing communications manager at Wombat, adds that the company has worked with Aberdeen Group to consider the extent to which businesses can reduce organizational risk if they use Wombat’s security education program.

“Security managers need to raise the level of discussion up to the board level or executive management level,” says Mackowiak. “At that level you’re really talking about reduction of risk for the organization.”

It Goes Without Saying

For Timpson, the goal is to equip workers with the tools they need to avoid falling victim to cyberattacks. After all, a company that aims to build trust on the Internet ought to have its own house in order.

“We’ve got mechanisms in place to train our people and [we] have processes that help us raise awareness inside the company,” says Timpson.

The Bottom Line

The risks that companies face in the online environment are real, so training workers should be considered a necessity rather than a value-added bonus.

And while arriving at a precise ROI is nice, businesses should remember that failing to move forward, for want of an exact dollar figure, could increase their odds of being breached, which could lead to all sorts of problems — financial, reputational and otherwise.


A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as, and